METHOD AND APPARATUS FOR IDENTIFYING A PACKET TRACING 
PACKETS 


BACKGROUND OF THE INVENTION 
FIELD OF THE INVENTION: 

[001] The present invention relates generally to the field of network security and more specifically to using low overhead methods for identifying the intrusion location of a packet into a network.

DESCRIPTION OF PRIOR ART: 

[002] Availability of low cost computers, high speed networking products, and readily available network connections has helped fuel proliferation of the Internet. This proliferation has caused the Internet to become an essential tool for both the business community and private individuals. Dependence on the Internet arises, in part, because the Internet makes it possible for multitudes of users to access vast amounts of information and perform remote transactions expeditiously and efficiently. Along with the rapid growth of the Internet have come problems caused by malicious individuals or pranksters launching attacks from within the network. As the size of the Internet continues to grow, so does the threat posed by these individuals.
[003] The ever-increasing number of computers, routers and connections making up the Internet increases the number of vulnerability points from which these malicious individuals can launch attacks. These attacks can be focused on the Internet as a whole or on specific devices, such as hosts or computers, connected to the network. In fact, each router, switch, or computer connected to the Internet may be a potential entry point from which a malicious individual can launch an attack while remaining largely undetected. Attacks carried out on the Internet often consist of malicious packets being injected into the network. Malicious packets can be injected directly into the network by a computer, or a device attached to the network, such as a router or switch. Such a computer or device can be compromised and configured to place malicious packets onto the network.

[004] The most publicized forms of network attacks often involve placing thousands or millions of packets onto the network using a practice known as flooding. The flood of packets can be targeted to a specific device on the network, for example a corporate web site, thus causing the device to become overwhelmed and shut down. Alternatively, an attack may be designed to clog the links, or connection points, between network components. Network attacks can be further enhanced using a practice known as spoofing. Spoofing involves associating bogus Internet Protocol (IP) addresses with transmitted packets, thus making the packets' origins impossible to determine based upon looking only at a received packet. Spoofing can be further enhanced using a technique referred to as transformation. When a packet is transformed, it undergoes a process that changes the original packet into a new packet, as, for example, would happen during tunneling or network address translation (NAT). Locating the origin of a network attack is further complicated because coordinated attacks can be employed. In a coordinated attack, multiple network devices are compromised and then used to launch a distributed attack. A distributed attack is one that is launched essentially simultaneously from several locations within the network.

[005] Network attacks can also be launched using a single packet. While single packet attacks are not as well publicized as multi-packet attacks, they are becoming more common and they are capable of inflicting significant damage to vulnerable networks. At present, it is extremely difficult to detect single packet attacks in a timely manner using known methods of intrusion detection, which exacerbates the challenge in dealing with them. As a result, network data currently must be analyzed after the fact to determine if a single packet attack was the source of disruption. Any tracing of the single packet to its origins, in accordance with prior art techniques, must also take place after the attacking packet traversed the network.

[006] Much of the difficulty in identifying the origin of an attack arises because the Internet employs a stateless routing infrastructure, in that it is one in which routing is based solely on destination addresses. Although source IP addresses may be transmitted with data, they are easy to forge, and as a result they are untrustworthy. A forged source address may bear no similarity to the actual source address from which the packet came. As a result, most prior art techniques and devices for preventing network attacks attempt to stop delivery of malicious packets at the ultimate destination device rather than attempting to locate their origin. Such origin is referred to as an entry point, also referred to as an ingress point or intrusion location, onto the network. Failing to identify the source address of malicious packets inhibits preventing further attacks, and such failure makes identification of the actual perpetrator difficult.

Figure 1 

[007] Fig. 1 provides an example of a network employing prior art devices to thwart malicious packets. Two prior art autonomous systems are shown, PAS1 and PAS2, respectively, connected to the Internet, or public network (PN1) shown comprised of routers R2-R6. An autonomous system (AS) is a network domain in which all routers in the AS can exchange routing tables. Often the AS may be a local area network (LAN) such as one found at a university, municipality, large corporation, or Internet Service Provider (ISP). An AS may further be comprised of computers, or hosts, connected to the AS such as H1-H3 for PAS1 or H4-H5 for PAS2, respectively. An AS is normally connected to the public network by one or more border routers, here R1 (for PAS1) or a firewall F1 (for PAS2) incorporating router functionality.

[008] Border routers contain routing tables for other routers within the AS and for routers within the public network that are connected to the AS by a link, i.e. a communicative connection. In Fig. 1, R1 is a border router for PAS1 and it connects to the Internet using representative link L1. Routing tables act as road maps for routers on the network, in that they are used to ensure that network traffic is forwarded through the appropriate links en route to a desired destination address.

[009] Firewalls are typically installed between a local area network (LAN), or intranet, and the Internet, or public network. Firewalls act as gatekeepers for an AS in that they allow certain packets in while excluding other packets. Firewalls may be implemented in routers or servers connected between an AS and the Internet, or they may function as standalone devices. Rule sets are used by firewalls to determine which packets will be allowed into their respective AS and which packets will be discarded. Since rules determine which packets get through the firewalls, only packets known to be problematic can be stopped. Therefore, rule sets must be updated on a regular basis to provide protection against new threat characteristics.

[0010] Additional protection for an AS may be obtained by supplementing border routers and firewalls with intrusion detection systems (IDSs). IDSs also use rule-based algorithms to determine if a given pattern of network traffic is abnormal. The general premise used by an IDS is that malicious network traffic will have a different pattern from normal, or legitimate, network traffic. Using a rule set, an IDS monitors inbound traffic to an AS. When a suspicious pattern or event is detected, the IDS may take remedial action, or it can instruct a border router or firewall to modify operation to address the malicious traffic pattern. For example, remedial actions may include disabling the link carrying malicious traffic, discarding packets coming from a particular source address, or discarding packets addressed to a particular destination. In Fig. 1, IDS1 is used to protect PAS1 and IDS2 is used in conjunction with F1 to protect PAS2.
[0011] Although border routers, firewalls, and IDSs can be used to help prevent known packets from entering an AS, they are not well equipped for stopping unknown packets because they rely on rule-based look up tables containing signatures of known threats. In addition, border routers, firewalls, and IDSs generally are not well equipped for identifying the origin, or ingress location, of malicious packets, particularly when spoofing is employed. Even when spoofing is not used, the above-noted devices may not be able to determine the ingress point for packets because packets often traverse many Internet links and devices, such as routers, bridges, and switches, before arriving at an AS. Reliably tracing the path of a packet often requires information about each link traversed by a packet. To obtain this information, routing data must remain with the packet or, alternatively, each router, or device, on the path must store information about, or a copy of, each packet traversing a network. With high-speed routers passing gigabits of data per second, storing full copies of packets is not practical.

[0012] What has been needed and what has not been available is a method for identifying the origin of malicious packets that can be implemented in an AS on the Internet and which addresses all shortcomings of prior art protection techniques. Embodiments of the present invention offer welcome solutions to these prior art protection problems.
SUMMARY OF THE INVENTION 
[0013] Embodiments of the present invention employ apparatus, system, computer program product and/or method for identifying an intrusion point of a malicious or target packet into a network. More specifically, in a network including multiple hosts and multiple routers for facilitating transmission of packets on a network, a system is employed for determining the point of entry of a malicious packet. An intrusion detection system detects the entry of a malicious packet in the network. A source path isolation server isolates the malicious packet and thereby determines the point of entry of the malicious packet. In a further embodiment of the system, the source path isolation server includes a means for generating a query message containing identification information about the malicious packet and a means for forwarding the query message to some of the routers located one hop away. In still a further embodiment of the system, certain of the routers include means for generating a hash value of the identification information about the malicious packet, a means for establishing a bit map of hash values representative of packets having passed through the respective router, and a means for comparing the hash value of the identification information with the hash values of packets having passed through the respective router.
[0014] In a further aspect of the invention, in a network carrying a plurality of packets where at least one of the packets is a target packet, the network includes at least one network component, a detection device and a server for determining the point of entry of a target packet into the network. The target packet is received from the detection device at the server. A query message is sent to a first one of the network components, where the query message identifies the target packet. A reply containing information about the target packet from the first network component is received. The reply is processed to extract the information contained therein. And, the information is used in a manner that allows the entry point of the target packet into the network to be determined.
[0015] In yet a further aspect of the invention, in a network carrying a plurality of packets, a computer-readable data signal is embodied in a transmission medium used to identify an intrusion point of a target packet, the network including a network component having a memory storing representations of the plurality of packets. The data signal includes a header portion and a body portion. The header portion includes an address of the network component. And, the body portion includes at least a portion of the target packet, the body portion being compared to corresponding representations, where a match between a portion of the target packet and one of the representations indicates that the network component encountered the target packet.

[0016] In still a further aspect of the invention, in a network carrying a plurality of packets, the network includes a network component having a memory storing first information about a subset of the plurality of packets having passed through the network component. The network component further includes a processor for computing a first hash value of a target packet and a second hash value of a member of the subset of the plurality of packets. The memory also stores second information about an intrusion of a target packet into the network in a data structure stored in the memory. A network component identification attribute of the data structure corresponds to a location of the network component. A target packet attribute uniquely identifies the target packet. A reply attribute is associated with at least one of the members and with the network component identification attribute, the reply indicating a match between the first hash value and the second hash value.

[0017] It is advantageous to employ embodiments of the present invention to protect data networks. A further advantage of the invention is the elimination of problems caused by undetected malicious packets in a network. A still further advantage of the invention is that it detects malicious packets without requiring special purpose network equipment. Furthermore, the present invention communicates information about malicious packets to other network devices thus enhancing network security. Another advantage of the invention is that it uses stored information about packets to facilitate detecting malicious packets.
[0018] It is thus a general object of the present invention to provide improved packet networks.

[0019] It is another object of the present invention to eliminate problems caused by malicious packets in a network.

[0020] It is a further object of the present invention to identify malicious packets to facilitate identifying their intrusion locations into the network.

[0021] It is a further object of the present invention to quickly identify ingress points of malicious packets when distributed attacks are launched against a network.

[0022] It is yet a further object of the present invention to efficiently use stored information about packets traversing a link in a network.

[0023] Further objects and advantages of the disclosed embodiments of the present invention will become more apparent after reference to the detailed description of exemplary embodiments thereof taken in conjunction with the accompanying drawings in which:

BRIEF DESCRIPTION OF THE DRAWINGS 

[0024] Fig. 1 is a block diagram of a prior art network comprising autonomous systems;

[0025] Fig. 2 is a block diagram of an exemplary embodiment of the present invention operating in conjunction with an Internet network;

[0026] Fig. 3 is a schematic diagram of an autonomous system coupled to a plurality of external networks;

[0027] Fig. 4 is a flowchart illustrating an exemplary method for use with a source path isolation server;


[0028] Fig. 5 is a schematic diagram of an exemplary data structure for storing information in conjunction with a source path isolation server for use in performing source path isolation techniques; and

[0029] Fig. 6 is a block diagram of a general-purpose computer configurable for practicing exemplary embodiments of the invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENT 
Figure 2 

[0030] A preferred embodiment uses a server and one or more specially configured network components, or devices, such as a router, within an autonomous system (AS) to determine the ingress point, or location, for a malicious packet (MP1). Fig. 2 illustrates an embodiment that may be used with an Internet Protocol network. More particularly, Fig. 2 is broken into three general areas enclosed within borders. The general areas within Fig. 2 are connected by transmission media, such as links, carrying data traffic across the network. Links serve as a transmission media for data and may be comprised of wire, fiber optic cable, radio frequency (RF) transponders, or the like.
[0031] The rightmost portion of Fig. 2 denotes an AS, shown as AS1, enhanced by the addition of a source path isolation server (SS1) and network components, here routers, modified to work as source path isolation routers (SRs), denoted by SR14-17, respectively. Also included within AS1 is a detection device, here an intrusion detection system (IDS) denoted as IDS1, and computers H1-H3. IDS1 may take the form of a commercially available IDS, or alternatively it may be developed specifically for participating in source path isolation systems and methods. IDSs and firewalls are well known in the art and will not be described in detail herein. An informative source of information on IDS and firewall functionality that may be used with the disclosed embodiments can be found in Firewalls and Internet Security: Repelling the Wily Hacker, by William R. Cheswick and Steven M. Bellovin, Addison-Wesley (1994).

[0032] SS1 may be comprised of a general-purpose computer, or server, operatively coupled to the network of AS1 and executing machine-readable code enabling it to perform source path isolation in conjunction with SR14-17 and IDS1. While SS1 and IDS1 are shown as separate devices in Fig. 2, it is noted that they can be combined into a single unit performing both intrusion detection and source path isolation. SR14-17 may be comprised of commercially available routers, or similar devices such as switches, bridges or the like, employing software and hardware enabling them to participate in source path isolation.

[0033] The central portion of Fig. 2 represents the public network, shown as PN1, carrying traffic between the autonomous systems, namely IAS1, AS1, AS2 and AS3. PN1 comprises routers R2-R6, links (shown as lines) operatively coupling the routers making up PN1, and links attaching to ASs coupled to PN1. PN1 may also comprise computers external to an AS (not shown). In the foregoing discussion, routers that have not been modified to act as source path isolation routers (SRs) are denoted as Rx, such as those located in PN1, where x is a number such as 2, 3, 4, etc.
[0034] The lower portion of Fig. 2 includes other autonomous systems, AS2 and AS3, that may be operatively connected to PN1. AS2 and AS3 may employ source path isolation apparatus and methods, or alternatively, they may be prior art autonomous systems (PAS).

[0035] The leftmost portion of Fig. 2 shows an autonomous system (IAS1) used by an intruder to launch an attack on AS1. IAS1 contains an IDS, shown as IDS2, operatively coupled to three host computers H4, H5 and I1 using links. In Fig. 2, I1 has been configured such that it places a malicious packet (MP1) onto IAS1 for transmission to AS1 via PN1. While Fig. 2 illustrates a computer configured to place MP1 onto the network, routers, switches, gateways and other hardware capable of placing machine-readable data onto a network may be used as sources in place of or in conjunction with such computer. When a device has been configured to inject a malicious packet, e.g. MP1, onto a network, it is referred to as an intruder or intruding device.

[0036] To launch an attack, an intruder generates malicious data traffic and places it onto a link for transmission to one or more destination devices having respective destination addresses. In Fig. 2, the heavy lines are used to indicate the path taken by MP1, namely I1 to IDS2, IDS2-R6, R6-R3, R3-R2, R2-SR15, SR15-SR16, and SR16-IDS1 (where hyphenation implies operative coupling between network components). The thick dashed link from IDS1-H3 denotes the intended path to the targeted device H3.

[0037] Detection and source path isolation of MP1 may be accomplished as follows. The detection device, here IDS1, identifies MP1 using known methods. After detecting MP1, IDS1 generates a notification packet, or triggering event, and sends it to SS1, thus notifying SS1 that a malicious packet has been detected within AS1. The notification packet may include MP1 or portions thereof along with other information useful for SS1 to begin source path isolation. Examples of information that may be sent from IDS1 to SS1 along with MP1 are time-of-arrival, encapsulation information, link information, and the like. When MP1 (or a fraction thereof) has been identified and forwarded to SS1 it is referred to as a target packet (TP1) because it becomes the target of the source path isolation method further described herein.
[0038] SS1 may then generate a query message (QM1) containing TP1, a portion thereof, or a representation of TP1. After generating QM1 containing identification information about TP1, SS1 sends it to some, or all, participating routers. Accordingly, SS1 may send QM1 to participating routers located one hop away; however, the disclosed invention is not limited to one hop. For example, SR16 is one hop away from SS1, whereas SR14, SR15 and SR17 are two hops away from SS1 and one hop away from SR16, respectively. When SR16 receives QM1 from SS1, SR16 determines if TP1 has been seen. This determination is made by hashing TP1 and comparing the result with a database containing signatures or other characteristics representative of packets having previously passed through SR16. Typically, SR16 is considered to have observed, or encountered, a packet when the packet is passed from one of its input ports to one of its output ports, such as would be done when SR16 forwards, or propagates, a packet during normal operation within a network.
[0039] To determine if a packet has been observed, SR16 first stores a representation of each packet it forwards. Then SR16 compares the stored representation to the information about TP1 contained in QM1. Typically, a representation of a packet passed through SR16 will not be a copy of the entire packet, but rather it will be comprised of a portion of the packet or some unique value representative of the packet. Since modern routers can pass gigabits of data per second, storing complete packets is not practical because memories would become prohibitively large. In contrast, storing a value representative of the contents of a packet uses memory in a more efficient manner. By way of example, if incoming packets range in size from 256 bits to 1000 bits, a fixed width number may be computed across the bits making up a packet in a manner that allows the entire packet to be uniquely identified. A hash value, or hash digest, is an example of such a fixed width number. To further illustrate the use of representations, if a 32-bit hash value, or digest, is computed across each packet, then the digest may be stored in memory or, alternatively, the digest may be used as an index, or address, into memory. Using a digest, or an index derived therefrom, results in efficient use of memory while still allowing identification of each packet passing through the router. The disclosed invention works with any storage scheme that saves information about each packet in a space efficient fashion, that can definitively determine if a packet has not been observed, and that will respond positively (i.e. in a predictable way) when a packet has been observed. Although the invention works with virtually any technique for deriving representations of packets, for brevity, the remaining discussion will use hash digests as exemplary representations of packets having passed through a participating router.

[0040] Returning to the discussion of Fig. 2, if SR16 has not observed TP1, it may so inform SS1. But if SR16 has a hash matching TP1, it may send a response to SS1 indicating that the packet was observed by, or at, SR16. In addition, SR16 may forward QM1 to adjacent routers 1 hop away. In Fig. 2, SR16 sends QM1 to SR14, SR15 and SR17. Then, SR14, 15 and 17 determine if they have seen TP1 and notify SS1 accordingly. In this fashion, the query message/reply process is forwarded to virtually all SRs within an AS on a hop-by-hop basis.

[0041] In Fig. 2, routers SR14, SR15 and SR17 are border routers for AS1, namely they are the routers that contain routing tables for routers outside AS1. If routers external to AS1 have not been configured to operate as SRs, then the query message/reply process stops at SR14-17; however, if the public network routers are configured to act as SRs then the query message/reply process may continue until the SR closest to the ingress point of TP1 is reached. When the SR closest to the ingress point is found, it can be instructed to disconnect the link used by the intruder or it can be instructed to drop packets originating from the intruder's Internet Protocol (IP) address on a particular link, or based on other identifying information.

[0042] Still referring to Fig. 2 and the route taken by MP1, if the routers making up PN1 are not participating as SRs, then SR15 would be instructed to exclude TPs. SR15 excludes a TP, present at an input port, by preventing it from passing to an output port. In contrast, if the routers making up PN1 were participating as SRs then R6 could be instructed to exclude TPs present at its input port.
[0043] The process used to perform source path isolation in Fig. 2 is referred to as an inward-out technique. After being triggered by an IDS, an inward-out technique begins its queries from a generally central portion of an AS. The inward-out technique then employs QMs that hop outward from the central portion of the AS toward the border routers comprised therein.

Figure 3 

[0041] Fig. 3 illustrates an autonomous system (AS), 300, employing border routers denoted generally as B connected to external networks EN1-EN7, other routers within 300 connected to the border routers generally denoted as A, and a source path isolation server denoted as SS. AS 300 may also include additional routers (not shown) located between SS and border routers B. An inward-out solution begins with SS at the center of Fig. 3 and works outward one hop at a time until the border routers, B, are reached. For Fig. 3, the routers labeled A are queried on the first hop and the border routers, B, are queried on a second, or subsequent, hop.

[0044] Since the locations of border routers are known within AS 300, an outward-in solution may also be employed. With an outward-in solution, SS first queries the border routers, B, and they in turn query the routers labeled A. As can be seen from Fig. 3, an outward-in solution gets progressively closer to the center of AS 300. The disclosed technique can be used on networks containing virtually any number of participating routers. While inward-out and outward-in techniques have been herein described, the disclosed techniques are not limited to any particular types of solution or localization algorithms. Furthermore, SS may send queries to participating routers located anywhere in the network so that many types of source path isolation techniques can be employed. Thus it can be seen that the disclosed technique is very scalable and flexible.

[0045] Further detail of the operation of a source path isolation server (SS) and a source path isolation router (SR) are provided hereinbelow.

Figure 4

EXEMPLARY METHOD FOR SOURCE PATH ISOLATION SERVER
[0046] Fig. 4 illustrates an exemplary method for accomplishing source path isolation. The method begins when SS1 receives [[a ]]TP1 from IDS1 operating within AS1 (step 402).

[0047] After receiving TP1, SS1 may generate QM1 comprising TP1 and any additional information desirable for facilitating communication with participating routers (SRs) (step 404). Examples of additional information that may be included in QM1 are, but are not limited to, destination addresses for participating routers, passwords required for querying a router, encryption keying information, time-to-live (TTL) fields, a hash digest of TP1, information for reconfiguring routers, and the like. SS1 may then send[[s]] QM1 to SRs located at least one hop away (step 406). SR may then process QM1 to determine whether TP1 is stored in local memory, where the stored hash values identify packets having previously passed through SR.

[0048] After processing QM1, an SR may send a reply to SS1 (step 408). The response may indicate that a queried router has seen TP1, or alternatively, that it has not (step 410). It is important to observe that the two answers are not equal in their degree of certainty. If SR does not have a hash matching TP1, SR has definitively not seen TP1. However, if SR has a matching hash, then SR has seen TP1 or a packet that has the same hash as TP1. When two different packets, having different contents, hash to the same value it is referred to as a hash collision.

[0049] If a queried SR has seen TP1, a reply and identification (ID) information for the respective SR is associated as active path data (step 414). Alternatively, if an SR has not seen TP1, the reply is associated as inactive path data (step 412). Replies received from queried SRs are used to build a source path trace of the potential possible paths taken by TP1 through the network using known methods (step 416). SS1 may then attempt to determine the ingress point [[for]] of TP1 (step 418). If SS1 has not computed the ingress point, subsequent responses from participating routers located an additional hop away are processed by executing steps 408-418 again (step 424).
[0050] Exemplary tracing techniques that may be employed with embodiments disclosed herein are, but are not limited to, breadth-first search and depth-first search. In a breadth-first search, all SRs in an area are queried to determine which SRs may have observed a target packet. Then, one or more graphs containing nodes are generated from the replies received by SS1, where the nodes are locations that TP1 may have passed through. Any graphs containing a node where TP1 was observed are associated as active, or candidate, paths, i.e. paths that TP1 may have traversed. With a depth-first search, only SRs adjacent to a location where TP1 was observed are queried. SRs issuing a positive reply are treated as starting points for candidate graphs because they have observed TP1. Next, all SRs adjacent to those that responded with a positive reply are queried. The process of moving outward one hop at a time is referred to as a round. This process is repeated until all participating routers have been queried or all SRs in a round respond with a negative reply indicating that they have not observed TP1. When a negative reply is received, it is associated as inactive path data.

[0051] When SS1 has determined an ingress point for TP1, it may send a message to IDS1 indicating that a solution has been found (step 420). Often it will be desirable to have the participating router closest to the ingress point close off the ingress path used by TP1. As such, SS1 may send a message to the respective participating router instructing it to close off the ingress path using known techniques (step 422). SS1 may also archive copies of path solutions, data sent, data received, and the like either locally or remotely. Furthermore, SS1 may communicate information about source path isolation attempts to devices at remote locations coupled to a network. For example, SS1 may communicate information to a network operations center (NOC), a redundant source path isolation server, or to a data analysis facility for post processing.

[0052] Here it is noted that as SS1 attempts to build a trace of the path taken by TP1, [[several ]]multiple paths may emerge as a result of hash collisions occurring in[[ the]] participating routers. When [[hash ]]collisions occur, they act as false positives in the sense that SS1 interprets the collision as an indication that a desired TP1 has been observed. Fortunately the occurrences of hash collisions can be mitigated. One mechanism for reducing hash collisions is to compute large hash values over the packets since the chances of collisions rise as the number of bits comprising the hash value decreases. Another mechanism for reducing collisions is to control the density of the hash tables in the memories of participating routers. That is, rather than computing a single hash value and setting a single bit for an observed packet, a plurality of hash values are computed for each observed packet using several unique hash functions. This produces a corresponding number of unique hash values for each observed packet. While this approach fills the router's hash table at a faster rate, the reduction in the number of hash collisions makes the tradeoff worthwhile in many instances. For example, Bloom filters [...] reduce the number of collisions and hence enhance the accuracy of traced paths. Therefore [...].

[0043] To [...] a router [...] modified so that it can determine a hash value over the immutable portion of each packet received and/or forwarded. A router forwarding [...]. Modifying a [...] hash values [...] readily available [...] software currently used in routers without unduly reducing performance of the forwarding engines within the routers. In order to make use [...] participating router, SR, may store information in a [...] received from SS1 [...] numbers of packets very quickly, attempting to store even a byte per data packet would require very large amounts of high-speed memory. Employing hash values significantly [...] such as a data packet, and processing it to obtain a numerical value that is unique for the given input data. The hash value, also referred to as a message digest or hash digest, is a fixed length whereas the input data may vary in size. Since the hash digest is unique for each input block of data, it serves as a signature for the data over which it was computed. [...] computed over their length. Furthermore, the hash value may be computed [...] alternatively it can be computed over a portion of input data. When used, a hash value essentially acts [...] should provide a good distribution of values over a variety of data inputs in order to [...] with a particular input. Suitable hash functions are readily known in the art and will not be discussed in detail herein. For example, hash functions [...] used in conjunction with [...] Network Security [...]. An example [...] Cyclic Redundancy Check (CRC).

[0044] To further [...] function. By way of example, if there are two adjacent routers, SR15 and SR16, coupled together and each [...] in a network. Now assume TP1 passes only through SR15 and TP2 passes through SR16 before arriving at SR15. If TP1 and TP2 have a hash collision at SR15, then the tracing algorithm will include SR16 in the traced path because SR16 would incorrectly report TP2's hash value as a potential signal that TP1 had passed through SR16 because of the identical hash values of TP1 and TP2. However, if SR16 employs a different hash function, then TP1 and TP2 will have different hash values at SR16 and thus SR16 would not be included in the tracing path even though a collision occurred between TP1 and TP2 at SR15.

In re U.S. 10/654,771 Changes made to 09/881,145 to create CIP app 09/881,074

[0045] Generally packets have an immutable portion and a mutable portion. These names are used to help distinguish between the portions of the packet that may change as it is routed through the network and the portion, or portions, remaining intact or unchanged. Immutable is used to describe the portions of a packet that do not change as a function of [...] the portions of a packet that change as a function of the packet's path through [...] immutable whereas the header portion is considered to be mutable. Although the header portion may [...] the packet traverses a network; [...] packet traversal [...]

[...] requirements associated with retaining hash values and other information associated therewith. One such technique [...] storing hash values [...] the order of [...] bits or more in length [...] address corresponding to the [...] indicating that a particular hash value, and hence a particular data packet, has been seen by the router. For example, using [...] possible index values into a bit array. Storing one bit per packet rather than storing the packet itself [...]. While bit arrays are described by way of example, it will be obvious to those skilled in the relevant arts that other storage techniques may be employed without departing from the spirit of the invention.
[0047] [...] participating [...] possibility of overwriting an existing index value increases. The risk of overwriting an index value can be reduced [...] flushed to other storage [...] such as [...]. [...] this, a time-table may be established for flushing the bit array, wherein such time-table [...] available fast memory, and the like. If desired, the flushing cycle can be reduced by [...]. While this approach reduces the flushing cycle, it increases the possibility that a target packet [...].
Figure 5

[0048] Fig. 5 [...] discussion utilizes a single SR, namely SR1, it will be readily apparent to those skilled in [...] essentially simultaneously. SR1 receives QM1 from SS1 within AS1 (step 502). After receiving QM1, SR1 may determine if a time-to-live (TTL) field in the query is expired (step 504). If a TTL field is used, QM1 is discarded if the TTL field is expired (step 504). A TTL field is [...] ensuring that SR1 responds only to relevant, or timely, queries. In addition, employing [...]

If the TTL field is not expired, SR1 determines if TP1 has been transformed (step 508). TP1 is transformed when it undergoes a transformation in route through a network [...] packet has a different value from that of the non-transformed [...] may have undergone [...] to make identification of TP1 and/or its source more difficult. If TP1 has been transformed, SR1 creates a new query packet (QM2) containing a hash value for the immutable portion of the transformed packet (step 510). Where no transformation has occurred, the method determines if the hash value computed matches an index value in the bit array (step 512). As previously noted, index values contained in the bit array [...] identify hash values [...]. Depending on available memory in SR1, the hash value may be compared to bit array indexes retrieved either from disk or from volatile memory.

[0050] If the hash value does not match an index value, SR1 does not forward QM1 (step 516), but instead may send a negative reply to SS1 (step 518). If a queried SR determines that TP1 has been transformed, [...] QM2 may be added to the baggage portion of QM1 (step 514), or alternatively [...]. [...] preferably forwarded to all interfaces excluding the one that QM1 was received on (step 520). After forwarding the message, SR1 sends a positive reply to SS1 indicating that the packet has been observed (step 522). The reply may contain the address of SR1, [...] QM2, that have passed through SR1 [...].
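The server-side rounds of the Fig. 4 method (query, collect active and inactive path data, determine the ingress point) and the router-side handling of the Fig. 5 method (TTL check, hash lookup, forwarding on every interface but the inbound one, positive or negative reply), simulated together as an added Python example that is not the patent's code. The topology, the digests each router holds, the SHA-256 digest and the use of a plain set in place of the bit array are constructed assumptions.

```python
"""Simulated source path isolation exchange between a server (SS1) and participating
routers (SRs). Added example, not the patent's code.

Assumptions (mine): SRs form an undirected graph; each SR keeps the digests of packets
it has forwarded; a query message carries the target digest and a TTL; an SR that holds
the digest forwards the query on every link except the one it arrived on and replies
positively, otherwise it replies negatively and does not forward.
"""
from collections import deque
from dataclasses import dataclass
import hashlib


def packet_digest(immutable_bytes):
    """Digest of a packet's immutable portion (SHA-256 here; the patent leaves it open)."""
    return hashlib.sha256(immutable_bytes).hexdigest()


@dataclass(frozen=True)
class QueryMessage:
    target: str   # hash digest of TP1 carried in QM1
    ttl: int      # hops remaining; an expired query is discarded (Fig. 5, step 504)


@dataclass(frozen=True)
class Reply:
    node: str
    seen: bool    # True means "seen TP1 or a packet with the same hash" (collision)


class SourcePathRouter:
    def __init__(self, name, neighbours, observed_digests):
        self.name = name
        self.neighbours = tuple(neighbours)
        self.observed = set(observed_digests)   # stands in for the router's bit array

    def process(self, qm, inbound):
        """Return (reply, neighbours to forward to); inbound is where the QM came from."""
        if qm.ttl <= 0:
            return None, []                     # stale query: discard, no reply
        if qm.target not in self.observed:
            return Reply(self.name, False), []  # steps 516/518: negative reply, no forwarding
        forward = [n for n in self.neighbours if n != inbound]   # step 520
        return Reply(self.name, True), forward                   # step 522


class SourcePathServer:
    def __init__(self, routers, border_routers, first_hop):
        self.routers = routers                  # name -> SourcePathRouter
        self.border = set(border_routers)       # where an ingress point can lie
        self.first_hop = tuple(first_hop)       # routers adjacent to SS (inward-out start)

    def isolate(self, target_digest, ttl=8):
        """Query one hop further out per round until every reachable SR has answered.
        Returns (active path data, inactive path data, ingress candidates)."""
        active, inactive, queried = [], [], set()
        queue = deque((r, None, QueryMessage(target_digest, ttl)) for r in self.first_hop)
        while queue:
            name, inbound, qm = queue.popleft()
            if name in queried:
                continue
            queried.add(name)
            reply, forward = self.routers[name].process(qm, inbound)
            if reply is None:
                continue
            (active if reply.seen else inactive).append(reply.node)
            for nxt in forward:
                queue.append((nxt, name, QueryMessage(target_digest, qm.ttl - 1)))
        ingress = sorted(n for n in active if n in self.border)
        return active, inactive, ingress


def build_demo_network(collision_at_b4=False):
    """Constructed topology: SS is adjacent to A1 and A2; A1 links to border routers B1, B2
    and A2 to B3, B4. TP1 entered at B3 and travelled B3 -> A2 toward SS. With
    collision_at_b4, B4 holds a colliding hash and wrongly reports TP1 as seen."""
    tp1 = packet_digest(b"constructed target packet TP1")
    other = packet_digest(b"constructed unrelated packet")
    routers = {
        "A1": SourcePathRouter("A1", ["B1", "B2"], {other}),
        "A2": SourcePathRouter("A2", ["B3", "B4"], {tp1, other}),
        "B1": SourcePathRouter("B1", ["A1"], {other}),
        "B2": SourcePathRouter("B2", ["A1"], set()),
        "B3": SourcePathRouter("B3", ["A2"], {tp1}),
        "B4": SourcePathRouter("B4", ["A2"], {tp1} if collision_at_b4 else {other}),
    }
    return SourcePathServer(routers, ["B1", "B2", "B3", "B4"], ["A1", "A2"]), tp1


if __name__ == "__main__":
    ss, tp1 = build_demo_network()
    print(ss.isolate(tp1))                      # ingress candidate: B3 only
    ss, tp1 = build_demo_network(collision_at_b4=True)
    print(ss.isolate(tp1))                      # two candidates: the collision is a false positive
```

Because a negative reply stops forwarding, B1 and B2 are never queried; with a TTL of 1 the border routers discard the query and no ingress point is found.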

Figure 6

EXEMPLARY DATA STRUCTURE FOR STORING [[PACKET]] TRACE INFORMATION

[0051] Fig. [[6]]5 illustrates an exemplary data structure for storing [...] R(n) [...]. The structure 500 is stored in [[volatile or non-volatile]] a database (not shown) in a memory. Since fast, or volatile, memory is expensive, it may be desirable to store incoming data to fast memory for a specified [...] incoming data rate. Often the time period will be chosen such that it ends when a selected record size [...] costly disk storage. Upon flushing a record from memory, a new record is opened and information about incoming data is stored. The flushing and opening of records can be [...]. [...] flushed records, it may be desirable to time stamp records when they [...] R(0) is [...] such as RAM, and records R(2) - R(n) are stored to disk or other storage device.

[0052] As previously disclosed herein, a hash value is preferably determined over an immutable portion of TP1 when it passes through SR1 and the resulting hash value is used as an index value, or address, into a memory. The index value is used to facilitate the storage of [...]. [...] index values are [...] by R(0) - R(n) where n is the last entry location in [...] will be determined by the size of the hash value used, for example 32, 64 or 128 bits. It is desirable [...] observed [...] confirm that a particular TP1 has either been "seen" or "not-seen". If a hash value is computed [...] entry [...] indicates that [...] not been seen.

[0053] Additional [...] to further aid with source path isolation [...]. For example, a "time" parameter can be associated with each computed hash value. If used, "time" will normally represent [...] was seen by SR1. Additionally, a "link id" parameter can [...] server. Data structure 500 stores information used in conjunction with performing source path isolation of a target packet. While Fig. 5 illustrates one data structure, it will be obvious to those skilled in the relevant arts that a plurality of data structures may be employed and that the data structures may include additional parameters and take on different [...] the exemplary data structure discussed herein.
[0054] Data structure 500 is comprised of a record R(1) containing attributes, or parameters, having data associated therewith. In the upper left portion of Fig. 5 are three parameters associated with the entire record R(1), namely a unique identification attribute, shown as Target ID, a time attribute, shown as Time, and a source attribute, shown as Source. These attributes together serve as a handle for R(1) to facilitate storage to, and recall from, a machine-readable memory (not shown). Here Target ID is associated with unique information associated with a particular target packet (TP) received from a detection device such as an IDS or firewall. Time may be used to identify either the time at which TP was received at an SS, the time that TP was received at a detection device, or the time that R(1) was opened. Source may be used to identify the link that TP was [...], or alternatively [...] the detection device that forwarded TP to SS.
[0055] Within 500 are exemplary column headings indicating still other attributes that may be used to facilitate source path isolation of TP. For example, a network component identification attribute, shown as node ID, may be used to identify particular nodes, such as [...] queried SRs. [...] may be used to identify the particular link upon which a TP1 arrived. Identifying the link may be of benefit when SS [...] ingress path for TP1. A "Status" parameter can [...] and health. It will be apparent to those skilled in the art [...] on which TP was observed. A reply packet attribute, shown as Node Response, may be used to indicate if a queried node has observed TP. Node time may indicate the time, preferably using some common reference, at which a respective node observed TP. Time is useful for determining how long TP has been in the network and performing comparisons with fields such as time-to-live (TTL). The attribute Transformed is used to track variants of TP in the event it has undergone a transformation. If TP has been transformed, it may be useful to have multiple entries associated with the respective TP. For example in Fig. 5, node 04 has two entries for tracing an untransformed and a transformed [...]. Status may be used to indicate network [...] associated with queried nodes. For example, a status of "ON" may indicate that a link is still active, i.e. carrying data, [...] has been disabled to exclude [...] traffic.

[0056] Fig. 5 illustrates one exemplary embodiment of a data structure that may be used for facilitating source path isolation; however, variations of the data structure [...] of the invention. For example, the [...] "YES/NO" [...] used in conjunction with node response, transformed, and status may be desirable when conveying information to an operator; however, flags such as 1 or 0 may also be used to indicate the status of various attributes. In addition, a plurality of records may be generated when performing source path isolation. Additionally, other column entries may be used in conjunction with, or in place of, those shown in Fig. 5. For example, it may be desirable to associate the hash value, or alternatively, the contents of TP with each record. It may also be desirable to [...] with each target packet encountered or, alternatively, with each detection device employed within a network. And, it may be [...] still other data structures or records associated with source path isolation that have been [...].



Figure [[7]]6

EXEMPLARY SYSTEM FOR PERFORMING METHOD

[0057] FIG. [[7]]6 illustrates a system [[720]]620 comprising a general-purpose computer that can be configured to practice disclosed embodiments. System [[720]]620 executes machine-readable code to perform the methods heretofore disclosed and[[ it]] includes a processor [[702]]602, main memory [[704]]604, read only memory (ROM) [[706]]606, storage device [[708]]608, bus [[710]]610, display [[712]]612, keyboard [[714]]614, cursor control [[716]]616, and communication interface [[718]]618.

[0058] Processor [[702]]602 may be any type of conventional processing device that interprets and executes instructions. Main memory [[704]]604 may be a random access memory (RAM) or a similar dynamic storage device. Main memory [[704]]604 stores information and instructions to be executed by processor [[702]]602. Main memory [[704]]604 may also be used for storing temporary variables or other intermediate information during execution of instructions by processor [[702]]602. ROM [[706]]606 stores static information and instructions for processor [[702]]602. It will be appreciated that ROM [[706]]606 may be replaced with some other type of static storage device. Storage device [[708]]608, also referred to as data storage device, may include any type of magnetic or optical media and their corresponding interfaces and operational hardware. Storage device [[708]]608 stores information and instructions for use by processor [[702]]602. Bus [[710]]610 includes a set of hardware lines (conductors, optical fibers, or the like) that allow for data transfer among the components of system [[720]]620.

[0059] Display device [[712]]612 may be a cathode ray tube (CRT), liquid crystal display (LCD) or the like, for displaying information in an operator or machine-readable form. [[The keyboard 714]] Keyboard 614 and cursor control [[716]]616 allow the operator to interact with system [[720; the cursor]] 620. Cursor control [[716]]616 may be, for example, a mouse. In an alternative configuration, keyboard [[714]]614 and cursor control [[716]]616 can be replaced with a microphone and voice recognition means to enable an operator or machine to interact with system [[720]]620.

[0060] Communication interface [[718]]618 enables system [[720]]620 to communicate with other devices/systems via any communications medium. For example, communication interface [[718]]618 may be a modem, an Ethernet interface to a LAN, an interface to the internet, a printer interface, etc. Alternatively, communication interface [[718]]618 can be any other interface that enables communication between system [[720]]620 and other devices, systems or networks. Communication interface [[718]]618 can be used in lieu of keyboard [[714]]614 and cursor control [[716]]616 to facilitate operator or machine remote control and communication with system [[720]]620.

[0054] As will be described in detail below, system [[720]]620 may provide SS1 operating within AS1 with the ability to perform source path isolation for a given TP[[1]]. SS1 may receive MP1 from IDS1 and generate QM1 in response to processor [[702]]602 executing sequences of instructions contained in, for example, memory [[704]]604. Such instructions may be read into memory [[704]]604 from another computer-readable medium, such as storage device [[708]]608, or from another device coupled to bus [[710]]610 or coupled via communication interface [[718]]618. Execution of sequences of instructions contained in memory [[704]]604 causes processor [[702]]602 to perform the method described in conjunction with FIG. 4. For example, processor [[702]]602 may execute instructions to perform the functions of [[determining]] receiving a hash value for [[MP1]] target packet (step 402), receiving replies from queried routers (step 408), and building a trace of the path traveled by TP[[1]] (step 416). Alternatively, hard-wired circuitry may be used in place of or in combination with software instructions to implement the functions of SS[[.]]1. Thus, the disclosed embodiments of [[SS]]SS1 are not limited to any specific combination of hardware circuitry and software.

[0061] System 720 may also be used to enable SR1 to pass data, store information about packets [...]. [...] may compute, or determine, a hash value over an immutable portion of a packet using processor 702 and [...]. The execution of instructions [...] time-to-live field of QM1 (step 504), determining if a packet has been transformed (step 508), and sending a [...] place of or in combination with [...]. Thus the disclosed embodiments of SR1 are not limited to any specific combination of hardware and software. For example, the functionality may be implemented in an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or the like, either alone or in combination with other devices to provide desired functionality.

CONCLUSION

[0062] As can be seen, the disclosed embodiments provide the functionality necessary to facilitate [[the ]]source path isolation of malicious packets in a network. While the preceding disclosure is directed to an Internet Protocol (IP) network, disclosed embodiments can be used in conjunction with other network protocols such as frame relay, asynchronous transfer mode (ATM), synchronous optical network (SONET), and the like. In addition, disclosed embodiments may be adapted to operate within different layers of a network such as the data link layer, network layer, transport layer or the like. Furthermore, the disclosed embodiments are not limited to particular network topologies or architectures.

[0055] Also, methods associated with determining a hash value for packets that have been seen may be implemented in various [...] source path isolation routers (SRs) heretofore discussed. For example, the method discussed in conjunction with Fig. 5 may be implemented in network switches, bridges, [...]. [...] disclosed methods can be implemented in dedicated hardware subsystems of processors [...] operate on encapsulated data such as would be encountered if network data were [...] transmission over [...].

[0063] The disclosed methods for implementing a source path isolation server (SS) and a source path isolation router (SR) are not limited to a single programming language or hardware architecture. For example, software for performing the functions of SS [[or SR ]]may be implemented in a high level programming language such as C, C++, LISP, or the like. Alternatively, software may be implemented in a lower level language such as assembly language, or a device specific language, where requirements such as speed must be met. Furthermore, [[an ]]SS [[or SR ]]may be configured to communicate with, and make information available to, other devices operatively connected to a network using known programming languages and techniques. For example, it may be desirable to have SS make source path isolation solutions available to an operator responsible for monitoring network security. In addition, [[an ]]SS [[or SR ]]can be implemented in a distributed fashion either by employing [...] processors or by having various components physically separated and coupled by a communication means such as a distributed bus, network, or the like. Also, it may be desirable to have [[an ]]SS communicate with one or more SRs over a dedicated network instead of using the network carrying data traffic among the SRs. For example, using a dedicated network may provide additional security, reliable bandwidth, or communication redundancy in the event that one or more links to an SR is disabled.
[0064] Query messages (QMs) and replies are not limited to a single network protocol or packet type. In many instances, it will be desirable to have QMs and replies transported using known protocols; however, customized protocols and message types can be used. For example, it may be desirable to employ a smart packet for sending QMs to participating routers. A smart packet is one that may contain a standard [...], such as the data from a target packet, along with machine-readable code containing executable instructions for instructing a receiving device, such as an SR, to modify its operation in response to the contents of the executable [[code ]]instructions contained within [...]. Smart packets facilitate rapid responses to network intrusions by allowing an SR to modify operation soon after receiving a QM from [[an ]]SS, or a forwarded QM from a participating router.

[0065] Furthermore, the disclosed methods can operate on encapsulated data such as would be encountered if network data were encrypted, converted from one network protocol to another, or a packet was split for transmission over more than one link. As can be seen, many variations of the disclosed embodiments are possible without departing from the spirit of the invention.

[0066] Therefore, the present embodiments are to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes within the meaning and range of equivalency of the claims are therefore intended to be embraced therein.